mailing list archives
Re: Mutual Authentication scheme
From: Nick Owen <nickowen () mindspring com>
Date: Fri, 09 Mar 2007 15:41:42 -0500
I am developing a web solution for the company that I work for and would
like to have as much security as possible. SSL only authenticates the
server to the client and I would like a way to authenticate both parties
to each other. Any ideas/suggestions?
BTW: I will be using Apache 1.3.29 w/ mod_ssl, and OpenSSL v0.9.7
running on OpenBSD 4.0
Not sure if you want two-factor authentication as part of that, but both
our open source and commercial versions include mutual authentication.
The server stores a copy of the web site's ssl cert and sends a hash of
it to the token client along with the URL when an OTP is requested. The
token client goes out through the user's internet connection to the URL,
grabs the cert, hashes it and compares the two. If the hashes match, the
user is given the OTP and the default browser is launched to the correct
SSL website. On the downside, it means software on the client.
Hope that helps and is not too spammy.
WiKID Systems, Inc.
Commercial/Open Source Two-Factor Authentication